Some MIT researchers [ref] have recently claimed that their implementation of the Slutsky-Brandt attack [refs] on the BB84 quantum-key-distribution (QKD) protocol puts the security of this protocol "to the test" by simulating "the most powerful individual-photon attack" [ref]. A related, unfortunate news feature in a scientific journal [ref] has spurred some concern in the QKD community and among the general public by misinterpreting the implications of this work. The present article proves the existence of a stronger individual attack on QKD protocols with encrypted error correction, for which tight bounds are shown, and clarifies why the claims of the news feature incorrectly suggest a contradiction with the established "old-style" theory of BB84 individual attacks.

The full implementation of a quantum cryptographic protocol includes a reconciliation and a privacy-amplification stage, whose choice in general alters both the maximum extractable secret and the optimal eavesdropping attack. The authors of [ref] are concerned only with the error-free part of the so-called sifted string, and do not consider faulty bits, which, in the version of their protocol, are discarded. When the provably superior reconciliation approach of encrypted error correction (instead of error discard) is used, the Slutsky-Brandt attack is no longer optimal and does not "threaten" the security bound derived by Lütkenhaus [ref].

It is shown that the method of Slutsky and collaborators [ref] can be adapted to reconciliation with error correction, and that the optimal entangling probe can be found explicitly. Moreover, this attack saturates Lütkenhaus' bound, proving that it is tight (a fact which was not previously known).

PACS numbers: 03.67.-a, 03.67.Dd 
I. INTRODUCTION



Quantum cryptography, or, more properly, quantum key distribution (QKD), is a discipline investigating techniques to grow, out of a common secret key, a larger key between two remote parties (Alice and Bob) linked by a quantum and a classical communication channel. The generated key can then be consumed to perform various classical cryptographic tasks, such as encoding messages with a one-time pad, but this is outside the scope of QKD. In the last twenty years it has been shown that it is in principle possible to grow the secret despite the channels being under the control of a non-disruptive attacker (Eve) subject only to the laws of quantum mechanics, a task deemed impossible in a completely classical setting; this ability stems ultimately from the well-known trade-off between acquired knowledge and state disturbance in a quantum measurement. For an introduction to the subject, the interested reader is pointed to some recent [refs] and forthcoming [ref] reviews.

Broadly speaking, QKD protocols are based on Alice transmitting quantum systems (usually photons) in randomly selected states out of an alphabet of nonorthogonal states. When Bob receives a system, he performs a measurement to infer Alice's signal; at the end of the quantum exchange, the measurement settings (but not the results) are publicly compared, and only results from compatible measurements are retained (key sifting). In the sifted key, measurement results are ideally deterministically correlated, and any eavesdropping activity, which fundamentally disturbs the exchanged systems, can be monitored. The oldest and best studied QKD procedure, described later on, is known under the name of Bennett-Brassard 1984 (BB84) protocol [ref]; other procedures, very similar in spirit to BB84, are the entanglement-based Ekert [ref] and BBM92 [ref] protocols.

QKD protocols so far devised consist of (a) a quantum transmission followed by sifting over a public authenticated classical channel, establishing a highly correlated pair of keys at two remote sites; (b) a reconciliation procedure over the classical channel, allowing Alice and Bob to agree on a shared identical random key; (c) a privacy-amplification procedure over the classical channel which ensures the security of a shortened key obtained from the sifted key [refs]. An additional necessary task for a complete secure protocol is authentication, but this is of no major consequence in the present analysis. Since the bits of the raw key are all statistically independent, no information about the sifted key can be extracted from the discarded bits of the raw key, and therefore general security analyses are concerned only with sifted keys. In both the reconciliation and the privacy-amplification phases, however, information is exchanged over the classical authenticated channel, which can be perfectly spied upon, although not modified, by Eve. This must be taken into account, so that, after a sequence of appropriate procedures, both Alice and Bob possess a copy of a key about which Eve knows only a negligible amount of information. The security of a QKD protocol, therefore, relates directly to a quantitative estimate of the amount of information potentially acquired by Eve on the sifted and reconciled key.

The conditions for the security of full QKD protocols have been extensively studied; in general, they depend on the class of allowed attacks and on the degree of non-ideality of the involved channels and cryptographic devices. In this article only individual attacks, where Eve is restricted to interact with and measure each transmitted signal independently, are considered; moreover, the channel is assumed to be noisy and potentially leaking, but the other devices are ideal and the quantum exchange is analysed only in the limit of very large keys. In this scenario, security conditions are often expressed in the form of a discarded fraction $\tau(e)$, that is, the portion of the sifted and reconciled key that is to be sacrificed in order to obtain a final secret key. The discarded fraction is a function of the probability that a bit at Alice's site and the corresponding bit at Bob's site differ after sifting, i.e., the quantum-bit error rate (QBER) $e$; in the usual conservative approach, it must be assumed that errors in the sifted key are entirely due to Eve.

Admittedly, this is not the state of the art in QKD security proofs, since the most general class, where all signals are made to interact coherently with a very large probe which is then optimally measured by Eve (coherent attacks), has already been tackled [refs]. Also, scenarios where Alice's and Bob's devices are imperfect and potentially manipulated by Eve have been considered and partially analysed, as well as the case of finite lengths for the exchanged keys. Finally, in recent years the very definition of what a secure final key is has changed, due to the introduction of the notion of composability. The literature on these subjects is too large to be even cited here; the interested reader should refer to [ref].

It must be remarked, however, that the case of ideal individual attacks still bears some importance because (a) proofs for realistic devices and finite key lengths are ultimately based on proofs for ideal ones; (b) security bounds for individual attacks, although conceptually very different, give results rather similar to the case of coherent attacks, which is a convincing argument about the effectiveness of eavesdropping strategies for those researchers who see coherent attacks as technologically unfeasible; and (c) individual attacks are a sufficiently simple class to be readily understood by researchers working on practical implementations, and their complete understanding helps dissipate the aura of phenomenology which is sometimes associated with security bounds in actual QKD protocols (as if a security bound, which is a purely mathematical statement and not an observable, could be subject to experimental investigation).



Recently, Kim et al. [ref] have claimed to physically implement "the most powerful individual-photon attack", therefore putting the BB84 protocol's security "to the test" [ref]. Following their suggestion that "the physical simulation allows investigation of the fundamental security limit of the BB84 protocol against eavesdropping in the presence of realistic physical errors, and it affords the opportunity to study the effectiveness of error correction and privacy amplification when the BB84 protocol is attacked", in this article this particular attack [refs] (from now on, the Slutsky-Brandt (SB) attack [ref]) is analysed in the context of a complete and efficient QKD protocol.

For individual eavesdropping attacks, and using an appropriate reconciliation protocol which does not correlate signals, upper bounds on Eve's information can be estimated via the average collision probability of the sifted key. A security bound as a function of the disturbance has been derived by Lütkenhaus [ref] in both scenarios, when faulty bits are discarded or corrected, by modelling Eve's individual attacks by means of positive-operator-valued measurements (POVM). In sections II and III the SB attack is analysed, and it is highlighted that this attack yields the upper value of $\tau(e)$, the discarded fraction in the privacy-amplification stage, obtained by Lütkenhaus when faulty bits are rejected, therefore conferring on Lütkenhaus' bound the property of being sharp, as already pointed out by this author.

However, the BB84 dialect that is nowadays most commonly adopted implements the reconciliation step through error correction (instead of error discard), because this leads to a larger final secret key, as shown in section IV. During this procedure, assumed perfect for simplicity, an amount $h(e)$ of information per sifted bit (the Shannon limit [ref]) is leaked to Eve and must be discarded. In section V it is shown that for such a protocol the SB attack is not necessarily optimal, and in no way threatens the upper bound on $\tau(e)$ as derived by Lütkenhaus for individual attacks on QKD protocols with error correction [ref].

Finally, in section V A it is proven that there exists a stronger entangling-probe attack, and that this attack leads to a discarded fraction that coincides exactly with Lütkenhaus' upper bound, thus dispelling the hope, which had subsisted thus far, that individual attacks against an ideal BB84 protocol with encrypted error correction could not reach that bound.

The mathematical techniques used in this article are similar to those developed in [refs] and perfected in [ref], but an important extension is introduced in Sec. II C which allows for a significant simplification of the problem. The final result suggests an intriguing relation between the maximal collision probability achievable through an optimal measurement and the fidelity of the (mixed) states to be distinguished.
II. MODELLING OF INDIVIDUAL ATTACKS AND SECURITY BOUNDS

In general, a security proof for a given class of attacks is made out of three main ingredients. First, one needs a mathematical description (a parametrisation) of all elements of the class. Then, one must estimate how dangerous each element is with respect to the final goal of establishing a secret key shared by Alice and Bob; this very much relies on the definition of security, and usually takes the form of non-tight bounds. Last, an optimisation is to be performed in the parametrised attack space in order to bound the power of the most threatening element for each value of the disturbance parameter (e.g., the QBER). The first two steps in the case of ideal individual attacks, according to the approach of Slutsky, Rao, Sun and Fainman [ref], are reviewed in this section.



A. The entangling-probe model 

In 1996 Fuchs and Peres [ref] introduced the following individual-attack model. Eve prepares a probe and lets it interact with the signal system sent by Alice; the joint unitary evolution leaves the two systems in an entangled quantum state. The signal is then forwarded to Bob, while the probe is stored by Eve and measured after the reconciliation stage. Entanglement between the system and the probe "induces" a correlation between Eve's and Bob's measurements, allowing Eve to obtain partial information on the key. This model is known as the Fuchs-Peres entangling-probe (FPEP) attack.

The definition of individual attack does not prevent Eve from forwarding to Bob a system with a Hilbert space different from the original one, a case not covered by the FPEP model. It has however been shown [refs] that, if Bob's apparatus can, to some extent, reveal the presence of multiple systems in the signal, by adding a sufficiently large penalty to the QBER in case of multiple detections it is always possible to render these attacks non-optimal for Eve [37].

That the FPEP model indeed covers the full class of individual attacks (at least among attacks where Eve is forced to measure her system at some point) is a consequence of Stinespring's dilation theorem [ref], which guarantees that every completely positive and trace-preserving map can be built by embedding the input state space in the state space of a "larger" system, which is then unitarily evolved and subsequently traced down to a subsystem isomorphic to the output space. Therefore, any quantum channel can be regarded as arising from a unitary evolution on a larger (dilated) system. Embedding in a larger space can be thought of as tensoring with an auxiliary system (the probe) in a fixed initial state, because this provides an intuitive physical model. The initial state can moreover be assumed to be pure [ref]. Stinespring's theorem is a generalisation of Neumark's theorem [24], which shows that every generalised measurement on a system can be implemented by letting the system interact unitarily with an ancilla, and then projectively measuring the latter [ref].

The explicit FPEP parametrisation for the BB84 protocol will now be introduced, following the notation of [ref] as closely as possible. In BB84, Alice randomly chooses a basis from a pair $\{|u\rangle, |\bar u\rangle\}$ and $\{|v\rangle, |\bar v\rangle\}$ of mutually unbiased orthogonal bases, and a signal bit, and sends to Bob the first element of the basis if the chosen bit is 0, the second element otherwise. Bob, similarly, chooses, randomly and independently from Alice, one of the two bases, and performs a von Neumann measurement to determine the bit. The sifted key is built from those exchanges where the measurements were compatible, i.e., when both Alice and Bob chose the same basis.

If $U$ is the unitary joint evolution of the FPEP attack, and $|w\rangle$ is the initial pure state of the probe, the overall entangled state after interaction can be decomposed as

$$U|a\rangle|w\rangle = |a\rangle|\psi_{aa}\rangle + |\bar a\rangle|\psi_{a\bar a}\rangle, \tag{1}$$

where $a \in \{u, \bar u, v, \bar v\}$, and $|\bar a\rangle$ is the state corresponding to the complementary bit (the states $|\psi_{ab}\rangle$ are neither orthogonal nor normalised). When the input state $|a\rangle$ is sent by Alice, every outcome $b$ of Bob is therefore associated with an output state of the probe proportional to $|\psi_{ab}\rangle$. It is convenient [refs] to define an orthonormal basis $\{|e_0\rangle, |e_1\rangle\}$, oriented symmetrically with respect to the signal states, which can then be expressed as



$$\begin{align}
|u\rangle &= \cos\alpha\,|e_0\rangle + \sin\alpha\,|e_1\rangle, \tag{2a}\\
|\bar u\rangle &= -\sin\alpha\,|e_0\rangle + \cos\alpha\,|e_1\rangle, \tag{2b}\\
|v\rangle &= \sin\alpha\,|e_0\rangle + \cos\alpha\,|e_1\rangle, \tag{2c}\\
|\bar v\rangle &= \cos\alpha\,|e_0\rangle - \sin\alpha\,|e_1\rangle, \tag{2d}
\end{align}$$

where $\alpha = \pi/8$, because the bases are unbiased. Since $|e_0\rangle$ and $|e_1\rangle$ generate the signal space, the action of a generic FPEP attack is then fully described by the action of $U$ on them; similarly to Eq. (1) one defines

$$U|e_m\rangle|w\rangle = |e_0\rangle|\Phi_{m0}\rangle + |e_1\rangle|\Phi_{m1}\rangle. \tag{3}$$

As for the $|\psi_{ab}\rangle$'s, the four states $|\Phi_{mn}\rangle$ are generally neither normalised nor orthogonal; their number shows that the probe space corresponding to a two-level signal is effectively four-dimensional.
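As an added, runnable illustration of the decomposition in Eqs. (1) and (3) (this code is not part of the paper or of any of the works it cites), the following Python snippet builds the four signal states of Eq. (2) with $\alpha = \pi/8$, applies an assumed toy attack, a controlled-NOT that flips a single-qubit probe prepared in $|0\rangle$ whenever the signal lies along $|e_1\rangle$, and extracts the unnormalised probe vectors $|\psi_{ab}\rangle$ and $|\Phi_{mn}\rangle$. The squared norm of $|\psi_{a\bar a}\rangle$ is the probability that Bob reads the wrong bit when $|a\rangle$ was sent, so its average over the four signals is the QBER of the attack; the last function checks the first of the linear relations between the two vector sets that the paper derives later, in Sec. II C (Eq. 20a). The one-qubit probe, the CNOT and the names `SIGNALS`, `psi_vectors`, `phi_vectors` and `qber` are all choices of this example.

```python
import math

ALPHA = math.pi / 8                       # the two bases are mutually unbiased for this angle
C, S = math.cos(ALPHA), math.sin(ALPHA)

# Signal states of Eq. (2) in the symmetric basis {|e0>, |e1>}; all components are real.
SIGNALS = {"u": [C, S], "ubar": [-S, C], "v": [S, C], "vbar": [C, -S]}
COMPLEMENT = {"u": "ubar", "ubar": "u", "v": "vbar", "vbar": "v"}

# Constructed toy attack (not from the paper): one-qubit probe prepared in |w> = |0>,
# flipped by a controlled-NOT when the signal lies along |e1>.  Joint index = 2*signal + probe.
PROBE_W = [1.0, 0.0]
CNOT = [[1.0, 0.0, 0.0, 0.0],
        [0.0, 1.0, 0.0, 0.0],
        [0.0, 0.0, 0.0, 1.0],
        [0.0, 0.0, 1.0, 0.0]]


def kron(sig, probe):
    """|sig> (x) |probe> as a 4-vector."""
    return [sig[i] * probe[j] for i in range(2) for j in range(2)]


def apply(U, vec):
    return [sum(U[i][j] * vec[j] for j in range(4)) for i in range(4)]


def probe_component(joint, b):
    """(<b| (x) 1) applied to a joint 4-vector: the unnormalised probe vector paired with Bob's outcome b."""
    return [sum(b[i] * joint[2 * i + j] for i in range(2)) for j in range(2)]


def psi_vectors(U, w):
    """The |psi_ab> of Eq. (1): U|a>|w> = |a>|psi_aa> + |abar>|psi_{a abar}>."""
    psi = {}
    for a, vec in SIGNALS.items():
        joint = apply(U, kron(vec, w))
        psi[(a, a)] = probe_component(joint, SIGNALS[a])
        psi[(a, COMPLEMENT[a])] = probe_component(joint, SIGNALS[COMPLEMENT[a]])
    return psi


def phi_vectors(U, w):
    """The |Phi_mn> of Eq. (3): U|e_m>|w> = |e0>|Phi_m0> + |e1>|Phi_m1>."""
    E = ([1.0, 0.0], [0.0, 1.0])
    return {(m, n): probe_component(apply(U, kron(E[m], w)), E[n]) for m in (0, 1) for n in (0, 1)}


def error_probability(U, w, a):
    """Probability that Bob reads the complementary bit when Alice sent |a>: ||psi_{a abar}||^2."""
    v = psi_vectors(U, w)[(a, COMPLEMENT[a])]
    return sum(x * x for x in v)


def qber(U, w):
    """Average error probability over the four equiprobable signals."""
    return sum(error_probability(U, w, a) for a in SIGNALS) / 4


def eq20a_holds(U, w, tol=1e-12):
    """Check |psi_uu> = cos^2 Phi00 + sin^2 Phi11 + sin cos (Phi10 + Phi01), the first relation of Eq. (20)."""
    psi, phi = psi_vectors(U, w), phi_vectors(U, w)
    rhs = [C * C * phi[(0, 0)][j] + S * S * phi[(1, 1)][j]
           + S * C * (phi[(1, 0)][j] + phi[(0, 1)][j]) for j in range(2)]
    return max(abs(psi[("u", "u")][j] - rhs[j]) for j in range(2)) < tol


if __name__ == "__main__":
    for a in SIGNALS:
        print(a, "error probability =", round(error_probability(CNOT, PROBE_W, a), 6))
    print("QBER =", round(qber(CNOT, PROBE_W), 6), "| Eq. (20a) holds:", eq20a_holds(CNOT, PROBE_W))
```

For this toy attack every signal is flipped with probability $2\sin^2\alpha\cos^2\alpha = 1/4$, so the QBER is 25%; replacing `CNOT` by the identity gives a QBER of zero, and any other $4\times4$ unitary can be plugged in the same way.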



B. Attack-space refinement via symmetrisation 

The aforementioned space of attacks is by far too complicated to be explored completely. However, standard techniques based on symmetrisation are available to reduce its size without losing potentially optimal elements. The general idea is trivial: if a subset of the space is known where all attacks are equivalent, it is sufficient to retain only one representative of the subset during the search. What is less trivial is how to characterise and find equivalent elements. In the entangling-probe picture, all measurable quantities are determined by the joint state $\chi$ of the signal and probe after interaction. If $\rho_a \in \{\rho_u, \rho_{\bar u}, \rho_v, \rho_{\bar v}\}$ is a signal state and $\omega = |w\rangle\langle w|$ is the initial probe state, then

$$\chi(\rho_a, \omega, U) = U\,\rho_a \otimes \omega\,U^\dagger. \tag{4}$$

The effects of an attack $(U, \omega)$, both in terms of the QBER and of Eve's maximum inference power, are summarised by the statistical distribution of the $\chi$'s, which depends on the signal a-priori distribution, that is

$$(U, \omega) \longleftrightarrow \{p_a;\ \chi(\rho_a, \omega, U)\}_{a = u, \bar u, v, \bar v}. \tag{5}$$

Since, for BB84, the a-priori probabilities $p_a = 1/4$ are all the same, attacks on the protocol have equivalent effects if the rays of the states are permuted (without violating the constraint that the two bases are unbiased). Readers not interested in technicalities may just retain that the simplification of the search space implies that the vectors $|\psi\rangle$ of Eq. (1) can be parametrised with only two real parameters, and jump to Eqs. (22) in Sec. II C.

All ray permutations can be generated with only two involutions, for instance (1) the basis exchange and (2) the bit exchange in the second basis; in the following these two specific symmetries are called $R_1$ and $R_2$ respectively. However, the approach is more general, and can be extended to other cases, for example to the six-state variant of BB84 [ref].

Let $Q_i = R_i \otimes \mathbb{1}$ be a local operator on the joint space of the signal and the probe [ref]; if Alice changes her signal convention from $\rho_a$ into $R_i \rho_a R_i^\dagger$, and the final density matrix $\chi(R_i\rho_aR_i^\dagger, \omega, U)$ is transformed back in Bob's laboratory into $Q_i^\dagger \chi Q_i$, both the QBER and Eve's maximum inference power, which are average quantities, are statistically unchanged. It follows, very much in analogy with the passive-active picture of a reference-frame change, that the attacks $(U, \omega)$ and $(Q_i^\dagger U Q_i, \omega)$ are equivalent. In mathematical terms,

$$\chi(\rho, \omega, U) = Q_i^\dagger\,\chi(R_i\rho R_i^\dagger, \omega, U)\,Q_i = (Q_i^\dagger U Q_i)\,\rho\otimes\omega\,(Q_i^\dagger U Q_i)^\dagger = \chi(\rho, \omega, Q_i^\dagger U Q_i). \tag{6}$$

Therefore, there is a direct link between a representation of the group $G$ of symmetries of the protocol and attack equivalence, and this remark can be exploited in a useful way. Below we consider the case of finite $G$, which is proper to the BB84 protocol. Since $R_1$ and $R_2$ generate the whole representation, by repeated application of Eq. (6) it can be shown that the attack $U_g = Q_g^\dagger U Q_g$ is equivalent to $U = U_0$ for all $R_g$, where $Q_g = R_g \otimes \mathbb{1}$ ($\omega$ is omitted here since it is always the same). For BB84, the relevant group $G$ is $D_4$ [26, chap. XII, table 7]; the action of the representation is illustrated in Fig. 1. The order of the group is 8, so that the orbit of $U$ has at most 8 elements.



FIG. 1: A graphical representation of the orbit $U_g$, $g \in [1..8]$, generated by applying the symmetry group of the BB84 protocol to a generic attack $U$. The whole orbit can be explored using only the involutions $R_1$ (basis exchange) and $R_2$ (bit exchange). The attack $\bar U$ is the average of the elements on the orbit, operates on an enlarged probe space and is symmetric under the BB84 group. The search for optimal elements can be restricted to these symmetric attacks.



Intuitively, a random application by Eve of the attacks $U_g$ will give another equivalent attack. The idea can be formalised by extending the probe space with an auxiliary space of $|G|$ dimensions. Define

$$\bar U = \sum_g U_g \otimes P_g \qquad\text{and}\qquad \bar\omega = \omega \otimes \Omega, \tag{7}$$

where $P_g = |g\rangle\langle g|$ are orthogonal projectors in the auxiliary space, and $\Omega = \frac{1}{|G|}\sum_{g g'} |g\rangle\langle g'|$ is the density matrix of a pure state with $\mathrm{Tr}(P_g\Omega) = 1/|G|$. The connection with the intuitive idea is that the projectors in the auxiliary space randomly select the $U_g$'s; the construction of $(\bar U, \bar\omega)$ is represented in Fig. 1.

What is special about the "average" attack $(\bar U, \bar\omega)$ built in this way is that it is invariant under a group, which can be built from the representation of $G$ and some permutation operators $X_g$ on the auxiliary space. Let



(8) 



The operators $X_g$ are chosen such that, if $Q_g^\dagger U_f Q_g = U_{\pi_g(f)}$, then $X_g P_f X_g^\dagger = P_{\pi_g(f)}$. This is always possible thanks to the fundamental theorem [26, chap. XII] that any finite group of order $k$ is isomorphic to a subgroup of the symmetric group $S(k)$ of all permutations of $k$ elements, which in turn can be naturally represented by the set of all $k \times k$ permutation matrices. It is then sufficient to fix one isomorphism and choose $X_g$ as the isomorphic image of $Q_g$; in this way $X_g|f\rangle = |\pi_g(f)\rangle$. It is now a trivial matter to verify that

$$\bar R_g \bar U \bar R_g^\dagger = \sum_f Q_g^\dagger U_f Q_g \otimes X_g P_f X_g^\dagger = \bar U \tag{9}$$

and

$$\omega \otimes X_g \Omega X_g^\dagger = \bar\omega. \tag{10}$$
One can therefore conclude that, given a group $G$ of protocol symmetries, for each attack $(U, \omega)$ there exists an equivalent attack $(\bar U, \bar\omega)$ which is invariant under all the $\bar R_g$'s defined in Eq. (8). It follows that the subset containing all attacks invariant under such symmetries contains at least one optimal element; the search for optimality can thus be restricted to that subset. This finding is directly relevant to the FPEP parametrisation, because it generates constraints for the $|\Phi_{mn}\rangle$'s of Eq. (3). In fact, for invariant attacks, replacing $U$ with $(R_g \otimes R_g)\,U\,(R_g \otimes R_g)^\dagger$ and $|w\rangle$ with $R_g|w\rangle$ shows that

$$U R_g|e_m\rangle|w\rangle = \sum_n R_g|e_n\rangle\,R_g^\dagger|\Phi_{mn}\rangle, \tag{11}$$

from which, for each symmetry $R_g$, the value of $R_g^\dagger|\Phi_{mn}\rangle$ can be calculated and used in constraints of the form

$$\langle\Phi_{mn}|\Phi_{pq}\rangle = \langle\Phi_{mn}|R_g R_g^\dagger|\Phi_{pq}\rangle. \tag{12}$$

This formula is clearly valid for all $g \in G$, but in practice it is sufficient to restrict its application to $R_1$ and $R_2$. Also, it is more convenient to work with the symmetries of the state vectors $|a\rangle$ instead of those of the corresponding rays. This gives a representation of $D_8$ instead of $D_4$, where redundant elements are included (like $|a\rangle \to -|a\rangle$, which is physically indistinguishable from the identity); the generated constraints are however the same.
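The group argument of Sec. II B can be checked numerically. The following Python snippet is an added example, not code from the paper: it generates the closure of the two involutions $R_1$ (swap of $|e_0\rangle$ and $|e_1\rangle$) and $R_2$ (the Hadamard of Eq. 15, introduced in the next subsection) as real $2\times2$ matrices, quotients out the overall sign to pass from vectors to rays, verifies that every element permutes the four signal rays of Eq. (2), and computes the orbit $U_g = Q_g^\dagger U Q_g$ of Eq. (6) for an assumed toy attack (a controlled-NOT acting on a one-qubit probe, a choice of this example). The expected counts, 16 elements on vectors and 8 on rays, are the $D_8$ and $D_4$ mentioned at the end of this section; the toy attack's orbit turns out to have 4 distinct elements, within the bound of 8.

```python
import math

ALPHA = math.pi / 8
C, S = math.cos(ALPHA), math.sin(ALPHA)
SIGNALS = {"u": [C, S], "ubar": [-S, C], "v": [S, C], "vbar": [C, -S]}     # Eq. (2)

R1 = [[0.0, 1.0], [1.0, 0.0]]                                              # basis exchange |e0> <-> |e1>
H = 1 / math.sqrt(2)
R2 = [[H, H], [H, -H]]                                                     # Hadamard, Eq. (15)


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]


def transpose(A):
    return [list(col) for col in zip(*A)]


def close(A, B, tol=1e-9):
    return all(abs(x - y) < tol for ra, rb in zip(A, B) for x, y in zip(ra, rb))


def generate_group(generators):
    """Closure of the generators under matrix multiplication (all matrices here are real orthogonal)."""
    n = len(generators[0])
    elems = [[[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]]
    frontier = list(elems)
    while frontier:
        fresh = []
        for A in frontier:
            for G in generators:
                P = matmul(A, G)
                if not any(close(P, E) for E in elems):
                    elems.append(P)
                    fresh.append(P)
        frontier = fresh
    return elems


def ray_representatives(elems):
    """Quotient by the overall sign: M and -M act identically on rays."""
    reps = []
    for M in elems:
        neg = [[-x for x in row] for row in M]
        if not any(close(M, R) or close(neg, R) for R in reps):
            reps.append(M)
    return reps


def ray_permutation(M):
    """Map each signal label to the label of its image under M, or None if the signal set is not preserved."""
    perm = {}
    for name, vec in SIGNALS.items():
        img = [M[0][0] * vec[0] + M[0][1] * vec[1], M[1][0] * vec[0] + M[1][1] * vec[1]]
        hits = [t for t, tv in SIGNALS.items() if abs(abs(img[0] * tv[0] + img[1] * tv[1]) - 1) < 1e-9]
        if len(hits) != 1:
            return None
        perm[name] = hits[0]
    return perm


def kron(A, B):
    """Kronecker product; joint index = (row of A) * dim(B) + (row of B)."""
    return [[A[i][j] * B[k][l] for j in range(len(A)) for l in range(len(B))]
            for i in range(len(A)) for k in range(len(B))]


def attack_orbit(U, ray_group):
    """Distinct attacks U_g = Q_g^T U Q_g with Q_g = R_g (x) 1 (Eq. 6); the probe is a single qubit here."""
    ident = [[1.0, 0.0], [0.0, 1.0]]
    orbit = []
    for R in ray_group:
        Q = kron(R, ident)
        Ug = matmul(transpose(Q), matmul(U, Q))
        if not any(close(Ug, V) for V in orbit):
            orbit.append(Ug)
    return orbit


# Constructed toy attack (not from the paper): CNOT flipping a one-qubit probe when the signal is along |e1>.
CNOT = [[1.0, 0.0, 0.0, 0.0], [0.0, 1.0, 0.0, 0.0], [0.0, 0.0, 0.0, 1.0], [0.0, 0.0, 1.0, 0.0]]

if __name__ == "__main__":
    vec_group = generate_group([R1, R2])
    rays = ray_representatives(vec_group)
    print("elements on vectors:", len(vec_group), "| on rays:", len(rays))
    print("R1 acts as", ray_permutation(R1))
    print("R2 acts as", ray_permutation(R2))
    print("orbit of the CNOT attack has", len(attack_orbit(CNOT, rays)), "distinct elements")
```

The printed permutations show the two involutions described in the text: $R_1$ exchanges the bases ($u \leftrightarrow v$, $\bar u \leftrightarrow \bar v$) and $R_2$ exchanges the bit in the second basis only ($v \leftrightarrow \bar v$, $u$ and $\bar u$ fixed as rays).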

C. The entangling-probe parametrisation 

The authors of the FPEP model remarked that the BB84 protocol, as described above, is endowed with the basis-exchange symmetry $R_1$ (an involution corresponding to $|e_0\rangle \leftrightarrow |e_1\rangle$). Then, using essentially the same techniques described in Sec. II B, namely Eq. (12), they showed that an attack-dependent orthonormal basis $\{|w_i\rangle\}_{i=0\ldots3}$ can be found [41] such that

$$\begin{align}
|\Phi_{00}\rangle &= X_0|w_0\rangle + X_1|w_1\rangle + X_2|w_2\rangle + X_3|w_3\rangle, \tag{13a}\\
|\Phi_{01}\rangle &= X_5|w_1\rangle + X_6|w_2\rangle, \tag{13b}\\
|\Phi_{10}\rangle &= X_6|w_1\rangle + X_5|w_2\rangle, \tag{13c}\\
|\Phi_{11}\rangle &= X_3|w_0\rangle + X_2|w_1\rangle + X_1|w_2\rangle + X_0|w_3\rangle. \tag{13d}
\end{align}$$

With analogous considerations extended to anti-unitary symmetries (complex conjugation in the probe space) they also showed that all coefficients $X$ are real numbers. Note that this parametrisation satisfies $\langle\Phi_{mn}|\Phi_{pq}\rangle = \langle\Phi_{\bar m\bar n}|\Phi_{\bar p\bar q}\rangle = \langle\Phi_{pq}|\Phi_{mn}\rangle$, as required by the constraints of $R_1$ (as previously, the bar indicates the complementary bit). The $X$'s are correlated by the fact that $U$ must be a unitary operator, hence the additional constraints

$$1 = \sum_{i=0,1,2,3,5,6} X_i^2 = \|\Phi_{00}\|^2 + \|\Phi_{01}\|^2, \tag{14a}$$
$$0 = X_1X_6 + X_2X_5 = \langle\Phi_{00}|\Phi_{10}\rangle = \langle\Phi_{11}|\Phi_{01}\rangle; \tag{14b}$$

this shows that each FPEP attack, prior to Eve's measurement, can be described by only four real parameters.



However, as already said, there exists another symmetry in the BB84 protocol which has not been exploited by the authors of [ref], namely $R_2$, the bit-exchange symmetry in one basis only. This corresponds to swapping the convention for 0 and 1 in one basis while leaving the other convention unchanged. The bit-exchange symmetry is generated by a Hadamard transformation:

$$R_2:\ \begin{pmatrix}|e_0\rangle\\|e_1\rangle\end{pmatrix} \longmapsto \frac{1}{\sqrt2}\begin{pmatrix}1 & 1\\ 1 & -1\end{pmatrix}\begin{pmatrix}|e_0\rangle\\|e_1\rangle\end{pmatrix}. \tag{15}$$

It is easy to check that $|v\rangle \leftrightarrow |\bar v\rangle$, while $|u\rangle$ and $|\bar u\rangle$ are invariant (actually, $|\bar u\rangle$ has its sign flipped, but this does not matter, since the physical state is the same). Using $R_2|e_j\rangle = [|e_0\rangle + (-1)^j|e_1\rangle]/\sqrt2$, after some elementary algebraic passages, using Eq. (11), one obtains

$$\begin{align}
R_2|\Phi_{00}\rangle &= \tfrac12\,(|\Phi_{00}\rangle + |\Phi_{01}\rangle + |\Phi_{10}\rangle + |\Phi_{11}\rangle), \tag{16a}\\
R_2|\Phi_{01}\rangle &= \tfrac12\,(|\Phi_{00}\rangle - |\Phi_{01}\rangle + |\Phi_{10}\rangle - |\Phi_{11}\rangle), \tag{16b}\\
R_2|\Phi_{10}\rangle &= \tfrac12\,(|\Phi_{00}\rangle + |\Phi_{01}\rangle - |\Phi_{10}\rangle - |\Phi_{11}\rangle), \tag{16c}\\
R_2|\Phi_{11}\rangle &= \tfrac12\,(|\Phi_{00}\rangle - |\Phi_{01}\rangle - |\Phi_{10}\rangle + |\Phi_{11}\rangle). \tag{16d}
\end{align}$$

Eq. (12) shows how to use these relations to calculate additional constraints for the $\langle\Phi_{mn}|\Phi_{pq}\rangle$ products. Of course, not all combinations of indexes are interesting, because quite a few are already fixed by other symmetries and by the unitarity of $U$. As already seen, there are at most four "independent" products, e.g., $\langle\Phi_{00}|\Phi_{01}\rangle$, $\langle\Phi_{01}|\Phi_{01}\rangle$, $\langle\Phi_{00}|\Phi_{11}\rangle$, and $\langle\Phi_{01}|\Phi_{10}\rangle$. The most important constraint is obtained by calculating the first one,

$$\langle\Phi_{00}|\Phi_{01}\rangle = \langle\Phi_{00}|R_2R_2^\dagger|\Phi_{01}\rangle = X_1X_5 + X_2X_6 = 0. \tag{17}$$

Together with Eq. (14b), this relation proves a fundamental property of the probe space for optimal attacks, i.e., this space is the direct sum of two orthogonal subspaces, one corresponding to bits received correctly by Bob and the other to errors in the sifted key,

$$\mathrm{Span}\{|\Phi_{00}\rangle, |\Phi_{11}\rangle\} \perp \mathrm{Span}\{|\Phi_{01}\rangle, |\Phi_{10}\rangle\}. \tag{18}$$

The symmetries analysed so far have also led to the conclusion that, within each subspace, basis vectors have the same length, $\|\Phi_{00}\| = \|\Phi_{11}\|$ and $\|\Phi_{01}\| = \|\Phi_{10}\|$, and these lengths are related by $\|\Phi_{00}\|^2 + \|\Phi_{01}\|^2 = 1$. To determine the full geometry of the probe one therefore only needs to parametrise the intra-space products.

Applying Eqs. (16) to the other three products, namely $\langle\Phi_{01}|\Phi_{01}\rangle$, $\langle\Phi_{00}|\Phi_{11}\rangle$, and $\langle\Phi_{01}|\Phi_{10}\rangle$ (whose calculation is greatly simplified by the previous orthogonality conditions), one obtains the desired final constraint,

$$\langle\Phi_{01}|\Phi_{10}\rangle + \langle\Phi_{00}|\Phi_{11}\rangle = 1 - 2\|\Phi_{01}\|^2. \tag{19}$$

It follows that the probe space can now be parametrised with only two real parameters, the length $\|\Phi_{01}\|$ and one of the two inter-space products. In order to optimise Eve's measurement, it is handier to translate these constraints in terms of the vectors $|\psi\rangle$. Using Defs. (1), (2) and (3), and solving for the $|\psi\rangle$'s, one finds

$$\begin{align}
|\psi_{uu}\rangle &= \cos^2\!\alpha\,|\Phi_{00}\rangle + \sin^2\!\alpha\,|\Phi_{11}\rangle + \sin\alpha\cos\alpha\,(|\Phi_{10}\rangle + |\Phi_{01}\rangle), \tag{20a}\\
|\psi_{u\bar u}\rangle &= \cos^2\!\alpha\,|\Phi_{01}\rangle - \sin^2\!\alpha\,|\Phi_{10}\rangle + \sin\alpha\cos\alpha\,(|\Phi_{11}\rangle - |\Phi_{00}\rangle), \tag{20b}\\
|\psi_{\bar u u}\rangle &= \cos^2\!\alpha\,|\Phi_{10}\rangle - \sin^2\!\alpha\,|\Phi_{01}\rangle + \sin\alpha\cos\alpha\,(|\Phi_{11}\rangle - |\Phi_{00}\rangle), \tag{20c}\\
|\psi_{\bar u\bar u}\rangle &= \cos^2\!\alpha\,|\Phi_{11}\rangle + \sin^2\!\alpha\,|\Phi_{00}\rangle - \sin\alpha\cos\alpha\,(|\Phi_{10}\rangle + |\Phi_{01}\rangle), \tag{20d}
\end{align}$$

and similar relations for the signals $v$ and $\bar v$, which, due to the perfect symmetry of the bases, are not relevant here. Trivial but lengthy calculations show that the correspondence between the $|\psi\rangle$'s and the $|\Phi\rangle$'s is unitary (although not so easy to spot, since both vector sets are neither orthogonal nor normalised), and therefore all vector products are preserved.

Since attack optimisation is performed at constant QBER, it is better to have $e$ as a free variable; this is easily achieved with the following reasoning. The value of the QBER cannot be changed by a local measurement by Eve after the signal-probe interaction has terminated, and, by definition, does not depend on the reconciliation procedure. From Eq. (1) it is immediate to see that, if signal $|a\rangle$ is sent by Alice, an error shows up at Bob's site with probability $\langle\psi_{a\bar a}|\psi_{a\bar a}\rangle$. Considering that all signals have the same a-priori probability of 1/4, and that the parametrisation, by construction, satisfies the basis-exchange symmetry, one concludes that

$$e = \frac14\sum_{a = u,\bar u,v,\bar v}\langle\psi_{a\bar a}|\psi_{a\bar a}\rangle = \frac12\sum_{a = u,\bar u}\langle\psi_{a\bar a}|\psi_{a\bar a}\rangle = \|\psi_{u\bar u}\|^2. \tag{21}$$

Therefore, the vectors of the "error set", $|\psi_{u\bar u}\rangle$ and $|\psi_{\bar u u}\rangle$, have length equal to $\sqrt e$, and the vectors of the "good set", $|\psi_{uu}\rangle$ and $|\psi_{\bar u\bar u}\rangle$, have length equal to $\sqrt{1-e}$; moreover, the inter-space products, $\langle\psi_{uu}|\psi_{\bar u\bar u}\rangle$ and $\langle\psi_{u\bar u}|\psi_{\bar u u}\rangle$, sum up to $1 - 2e$. By introducing the inter-space imbalance $\delta$, all these relations can be summarised as in the following table:



$$\begin{align}
\mathrm{Span}\{|\psi_{uu}\rangle, |\psi_{\bar u\bar u}\rangle\} &\perp \mathrm{Span}\{|\psi_{u\bar u}\rangle, |\psi_{\bar u u}\rangle\}, \tag{22a}\\
\|\psi_{uu}\|^2 = \|\psi_{\bar u\bar u}\|^2 &= 1 - e, \tag{22b}\\
\|\psi_{u\bar u}\|^2 = \|\psi_{\bar u u}\|^2 &= e, \tag{22c}\\
\langle\psi_{uu}|\psi_{\bar u\bar u}\rangle &= \tfrac12 - e - \delta, \tag{22d}\\
\langle\psi_{u\bar u}|\psi_{\bar u u}\rangle &= \tfrac12 - e + \delta. \tag{22e}
\end{align}$$

The imbalance is also limited by the geometrical constraint on scalar products, i.e., the Schwarz inequality. The allowed values for $(e, \delta)$,

$$-\tfrac12 \le \delta \le +\tfrac12 - |1 - 2e|, \tag{23}$$

are determined by

$$|\tfrac12 - e - \delta| \le 1 - e, \tag{24a}$$
$$|\tfrac12 - e + \delta| \le e, \tag{24b}$$

and are represented in the figure on the left.

[Figure: allowed region for $(e, \delta)$ in the $(e, \delta)$ plane]

In the rest of the article the set of equations (22) is used, still under the name of FPEP parametrisation.


D. Estimation of Eve's inference power and the discarded fraction

As already explained in the introduction, after key reconciliation a procedure called privacy amplification is applied to reduce Eve's knowledge to a negligible amount (assuming Eve is forced to measure at this point). Privacy amplification employs universal$_2$ hashing functions to compress the reconciled key, of length $n$, to a final key, of length $r$. The discarded fraction $\tau$ is then defined as

$$\tau = \frac{n - r}{n}. \tag{25}$$

The theory of privacy amplification was developed in a seminal article by Bennett, Brassard, Crépeau and Maurer [ref], who found a condition for strong security. Lütkenhaus [13] used it to bound Eve's average [ref] Shannon information on the final key: for individual attacks, the eavesdropper, on average, knows less than $1/\ln 2$ bits of the final key provided

$$\tau(e) \ge 1 + \log_2\langle P_c\rangle, \tag{26}$$

where $\langle P_c\rangle$ is the maximum average collision probability of Eve's knowledge of one bit of the reconciled key, for a fixed value of the disturbance, the QBER $e$. Note that, under conservative assumptions, all noise on the quantum channel may be attributed to Eve, but it does not have to be; therefore, $\tau(e)$ must be a non-decreasing function. If, for instance, $\tau(e' > e) < \tau(e)$, then Eve could perform the attack causing error $e$, and then pass Bob's signal through a depolarising channel with error $e' - e$. Therefore, in the following, all $\tau$'s are to be considered as monotonicised. If $S$ is the random variable corresponding to the bit sent by Alice, with values $s = 0, 1$, and $M$ is the random variable corresponding to all knowledge acquired by Eve, with values $m$, then $\langle P_c\rangle$ is defined as

$$\langle P_c\rangle = \sum_m P(M = m)\sum_s P(S = s\,|\,M = m)^2. \tag{27}$$

However, when the approach of [ref] is followed, it is not necessary to calculate the conditional probabilities $P(S = s|M = m)$ nor the marginal probabilities $P(M = m)$, because the largest possible value of $\langle P_c\rangle$ can be obtained by direct inspection of the state of Eve's probe after interaction, as shown in section III.



III. DISCARDED FRACTION FOR INDIVIDUAL ATTACKS AGAINST A PROTOCOL USING "FAULTY BITS DUMPING" AS RECONCILIATION METHOD



In section III CI it was shown that the QBER e is com- 
pletely determined by the signal-probe interaction dur- 
ing transmission. This is not the case for Eve's inference 
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power, which depends also on the reconcihation method. 
Slutsky et al. , followed by [J, d, 3 j considered only 
the case when all errors are discarded from the sifted key. 
An evaluation of the cost of this procedure is postponed 
to Sec. pVj) : for the time being it will be assumed that it 
can be performed without giving Eve any piece of infor- 
mation other than the indexes of the retained bits. 

Of course, it is very relevant to Eve that reconciliation is performed through error discard; in fact, her state of knowledge on the signal-probe system conditioned on Alice sending state |a⟩ changes from that in Eq. (17) to a pure state, just as if Bob's measurement had collapsed the signal state into |a⟩:

U|a\rangle|w\rangle = |a\rangle|\psi_{aa}\rangle + |\bar a\rangle|\psi_{\bar a a}\rangle \;\xrightarrow{\text{``collapse''}}\; |a\rangle|\psi_{aa}\rangle. \qquad (28)



If, for instance, the encoding basis was {|u⟩, |ū⟩}, Eve's probe, in Eve's view, would be in an equiprobable mixture of |ψ_uu⟩ and |ψ_ūū⟩. In this case, intuitively, the largest inference power is given by a measurement that maximises the probability of telling the first case apart from the second. It is known [ref., 29] that optimal ambiguous discrimination (corresponding to a minimum of the probability P_err of making a wrong guess) can be achieved by means of projective measurements. For two pure and normalised states, |φ_0⟩ and |φ_1⟩, assuming without loss of generality that ⟨φ_0|φ_1⟩ is real, and defining the pure-state fidelity as

f = |\langle\phi_0|\phi_1\rangle|^2, \qquad (29)

the optimal von Neumann measurement is defined by the directions |χ_{0/1}⟩ = a_{0/1}|φ_0⟩ + b_{1/0}|φ_1⟩, where



0/1 



2x/W 



(30) 



and the minimum error probability turns out to be ½[1 − √(1 − f)]. Building on a result of Levitin [30, 31], the authors of [ref.] showed [43] that this measurement also maximises the average collision probability and the drop in Shannon and Rényi entropy, confirming the intuition. The maximum collision probability turns out to be

\langle P_c \rangle = 1 - \tfrac{1}{2} f. \qquad (31)

Therefore, in the FPEP approach, the problem of optimising Eve's measurement is really trivial. The optimal attack is that which minimises the value of f for a fixed value of e. Due to the intrinsic basis symmetry of the method, the value of the fidelity does not depend on the basis [44]. Using Eqs. (22b) and (22d) one then easily finds



\sqrt{f} = \frac{|\langle\psi_{uu}|\psi_{\bar u\bar u}\rangle|}{\|\psi_{uu}\|\cdot\|\psi_{\bar u\bar u}\|} = \frac{|\tfrac12 - e - \delta|}{1-e}, \qquad (32)

which is minimised at fixed e < 1/3 by δ = 2e − 1/2 [see the allowed range for δ in Eq. ( )], yielding:

\sqrt{f} = \frac{1 - 3e}{1 - e} \qquad (e < 1/3) \qquad (33)

(if e > 1/3, then, with δ = 1/2 − e, the fidelity is exactly zero, i.e., the two cases are perfectly distinguishable). Substituting this result in Eq. (31), and then into Eq. (26), finally gives the maximum value of the discarded fraction (implicit in [ref.] and explicitly given in [ref.]),

\tau(e) = 1 + \log_2\langle P_c\rangle = \log_2(2 - f) = \log_2 \frac{1 + 2e - 7e^2}{(1-e)^2} = \log_2\!\left[1 + 4e - 4e^3 + O(e^4)\right]. \qquad (34)

This formula is valid up to e = 1/3, where the function reaches its maximum value, τ(1/3) = 1, after which Eve enjoys complete knowledge of the key established by Alice and Bob (see also the discussion of section II D).



A. The Slutsky-Brandt attack 

Kim et al. [1], following a proposal by Brandt [ref.], experimentally simulate a particular eavesdropping attack, the Slutsky-Brandt (SB) attack, that is a specific case of the general FPEP class previously described. Their practical implementation uses a CNOT gate as entangling operation, and error discard as reconciliation procedure. This attack can be shown to attain the maximum collision probability, as given by Eq. (34), and is therefore optimal within its class.

The SB attack is now briefly recalled. Eve employs a probe system with the same dimensionality as the signal (a qubit), and the entangling CNOT gate uses the signal as control and the probe as target. The computational basis of the CNOT is the same "symmetric" basis {|e_0⟩, |e_1⟩} of Eqs. (2); with some abuse of notation, the same symbols |e_0⟩ and |e_1⟩ are used to indicate an arbitrary basis in Eve's space. The initial probe state is



|w\rangle = \frac{1}{\sqrt 2}\Big[(C + S)|e_0\rangle + (C - S)|e_1\rangle\Big], \qquad (35)

where the parameters S and C are sine and cosine of some angle, function of the desired QBER e < 1/2:

S = \sqrt{2e}, \qquad C = \sqrt{1 - 2e}. \qquad (36)

The total system, upon Eve's action, becomes entangled, and its state can be decomposed according to the definition of Eq. ( ), giving

|\psi_{uu}\rangle = \Big(\frac{C}{\sqrt 2} + \frac{S}{2}\Big)|e_0\rangle + \Big(\frac{C}{\sqrt 2} - \frac{S}{2}\Big)|e_1\rangle, \qquad (37)

|\psi_{\bar u u}\rangle = |T_e\rangle \stackrel{\text{def}}{=} \frac{S}{\sqrt 2}\cdot\frac{|e_1\rangle - |e_0\rangle}{\sqrt 2}. \qquad (38)

Similar equations hold in the other basis. The probability of having an error is, as expected, ⟨T_e|T_e⟩ = S²/2 = e. "Error states", that is the states |ψ_āa⟩, are characterised by independence from the actual signal a, as they are always equal to |T_e⟩. As a consequence of this, when an error takes place, Eve has no information at all on the transmitted bit; the entangling unitary is in fact optimised for protocols which discard errors instead of correcting them.

The inference power of the SB attack can be calculated, as already seen, from the fidelity of |ψ_uu⟩ with respect to |ψ_ūū⟩; for e < 1/3, it is identical to that of Eq. (33), which proves that this attack is optimal in the class of attacks on protocols which discard errors of the sifted key:

\sqrt{f} = \frac{|\langle\psi_{uu}|\psi_{\bar u\bar u}\rangle|}{\|\psi_{uu}\|\cdot\|\psi_{\bar u\bar u}\|} = \frac{|2C^2 - S^2|}{2(1-e)} = \frac{|1 - 3e|}{1 - e}. \qquad (39)
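As an added illustration of the SB attack recalled above (this code is not from the paper nor from Kim et al.), the following Python simulates the CNOT entangling step on a qubit probe and extracts the unnormalised probe states of Eq. (28) by projecting on Bob's outcome, so that the QBER, the error state |T_e⟩, the fidelity of Eq. (39) and the discarded fraction of Eq. (34) all come out of the state vectors rather than being typed in. The one assumption not fixed by the text is the orientation of the BB84 basis {|u⟩, |ū⟩} with respect to the symmetric basis {|e_0⟩, |e_1⟩} (Eqs. (2) are not reproduced here): |u⟩ is taken at an angle of π/8 from |e_0⟩, consistent with |e_0⟩, |e_1⟩ lying halfway between the two BB84 bases. Function names are mine.

```python
import math

# Assumption: the symmetric CNOT basis {|e0>, |e1>} sits halfway between the two
# BB84 bases, so |u> and |ubar> are at +pi/8 and +5pi/8 from |e0>.
_c, _s = math.cos(math.pi / 8), math.sin(math.pi / 8)
U_STATE = (_c, _s)        # |u>    =  c|e0> + s|e1>
UBAR_STATE = (-_s, _c)    # |ubar> = -s|e0> + c|e1>   (orthogonal to |u>)


def probe_state(e):
    """Initial SB probe |w> = [(C+S)|e0> + (C-S)|e1>]/sqrt2 with S=sqrt(2e), C=sqrt(1-2e), Eqs. (35)-(36)."""
    S, C = math.sqrt(2 * e), math.sqrt(1 - 2 * e)
    return ((C + S) / math.sqrt(2), (C - S) / math.sqrt(2))


def entangle(signal, probe):
    """CNOT with the signal as control and the probe as target, both in the {|e0>,|e1>} basis.
    Returns the joint state as {(signal_index, probe_index): amplitude}."""
    joint = {}
    for i, a in enumerate(signal):          # control index i
        for j, b in enumerate(probe):       # target index j
            k = j ^ i                       # target flips when the control is |e1>
            joint[(i, k)] = joint.get((i, k), 0.0) + a * b
    return joint


def bob_projects(joint, bob_state):
    """Unnormalised probe state <bob_state| (joint), i.e. |psi_{ba}> of Eq. (28)."""
    psi = [0.0, 0.0]
    for (i, k), amp in joint.items():
        psi[k] += bob_state[i] * amp
    return tuple(psi)


def norm2(v):
    return sum(x * x for x in v)


def inner(v, w):
    return sum(x * y for x, y in zip(v, w))


def sb_states(e):
    """(psi_uu, psi_{ubar u}, psi_{ubar ubar}, psi_{u ubar}): first index is Bob's result, second Alice's bit."""
    w = probe_state(e)
    sent_u, sent_ubar = entangle(U_STATE, w), entangle(UBAR_STATE, w)
    return (bob_projects(sent_u, U_STATE),        # correct,  Eq. (37)
            bob_projects(sent_u, UBAR_STATE),     # error,    Eq. (38): |T_e>
            bob_projects(sent_ubar, UBAR_STATE),  # correct
            bob_projects(sent_ubar, U_STATE))     # error


def qber(e):
    """Probability that Bob's bit is wrong: <psi_{ubar u}|psi_{ubar u}> = S^2/2 = e."""
    return norm2(sb_states(e)[1])


def error_states_identical(e):
    """Both error states equal |T_e>, so a faulty bit tells Eve nothing about Alice's bit."""
    _, err_sent_u, _, err_sent_ubar = sb_states(e)
    return all(abs(x - y) < 1e-12 for x, y in zip(err_sent_u, err_sent_ubar))


def sqrt_fidelity_correct(e):
    """sqrt f of Eq. (39): |<psi_uu|psi_{ubar ubar}>| / (||psi_uu|| ||psi_{ubar ubar}||) = |1-3e|/(1-e)."""
    psi_uu, _, psi_bb, _ = sb_states(e)
    return abs(inner(psi_uu, psi_bb)) / math.sqrt(norm2(psi_uu) * norm2(psi_bb))


def collision_probability(e):
    """Eq. (31): <P_c> = 1 - f/2 for the optimal projective measurement on two pure states."""
    return 1 - 0.5 * sqrt_fidelity_correct(e) ** 2


def tau_discard(e):
    """Eq. (34): discarded fraction tau(e) = 1 + log2 <P_c> = log2(2 - f) for error-discard reconciliation."""
    return 1 + math.log2(collision_probability(e))


if __name__ == "__main__":
    for e in (0.05, 0.10, 0.20, 1 / 3):
        print(f"e={e:.3f}  QBER={qber(e):.3f}  sqrt(f)={sqrt_fidelity_correct(e):.4f}  "
              f"tau_d={tau_discard(e):.4f}  error states identical: {error_states_identical(e)}")
```

The printed τ_d reaches exactly 1 at e = 1/3, where the two correct-bit probe states become orthogonal, as stated after Eq. (34).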

IV. RECONCILIATION: ERROR DISCARD 
VERSUS ERROR CORRECTION 

As emphasised earlier, a QKD protocol, like BB84, can be implemented in many variants, by adopting different approaches for reconciliation. Each of these dialects is a protocol on its own, and trivially comparing the discarded fraction for different protocols makes as much sense as comparing apples with pears. However, a common benchmark can be found in the length of the final secret with respect to the length n of the sifted key (not the length ñ of the reconciled key).

The problem is further complicated by the fact that the privacy-amplification bound is based on the average collision probability of the sifted and reconciled key. If reconciliation is performed in clear, by exchanging public messages on the classical channel, ⟨P_c⟩ of the sifted key is modified in ways that are very difficult to account for. For this reason, it is established practice to exchange reconciliation information in encrypted form, with a one-time pad. This, of course, requires a previous secret to be shared by Alice and Bob; this secret is consumed during the execution of the protocol, and must enter the final balance of secret key production. The alternative approach of exchanging public messages and then reducing the final key by an equivalent amount has never been proven to be more efficient, but it is more difficult to justify theoretically (see, e.g., [ref.]).

Articles on BB84 with error discard usually do not mention an explicit procedure for discarding faulty bits; but it is clear that locating all errors in the sifted key is exactly as difficult as correcting the string altogether (since the output of one procedure can be directly used to implement the other one), which implies a minimum cost nh(e), where h is the binary entropy function h(e) = −e log₂ e − (1 − e) log₂(1 − e), due to the Shannon limit [ref.]. The secret gain is therefore at most

G_d = n(1 - e)\,[1 - \tau_d(e)] - n\,h(e), \qquad (40)

because (1) the sifted key of length n is reduced to a reconciled key of length ñ = n(1 − e) by discarding the ne errors, (2) the reconciled key is compressed by a factor 1 − τ_d during privacy amplification, and (3) the cost of tight error discard, nh(e), must be subtracted from the final balance. The subscript d of τ is meant to recall that this is the discarded fraction in case of reconciliation through error discard. This gain can be directly compared with that of protocols with error correction. In the latter case, ñ = n (no bits are discarded), and τ becomes τ_c:

G_c = n\,[1 - \tau_c(e)] - n\,h(e). \qquad (41)

Obviously, 0 ≤ τ_c ≤ τ_d ≤ 1, because more information is available to Eve with error discard than with error correction (i.e., the location of all bits received as errors, and the fact that all retained bits were received without errors). One can consider also a case in which errors are corrected, but the positions of the corrected spots are leaked to Eve [45]: the previous considerations are not invalidated. It is immediate to see that error correction is always better than error discard, because

\frac{G_c - G_d}{n} = (1 - e)(\tau_d - \tau_c) + e(1 - \tau_c) > 0. \qquad (42)

Therefore, it makes sense to see what happens to the "optimal BB84 attack" when reconciliation is done through error correction, a case analysed in section V. One may legitimately think that other reconciliation procedures could lead to an even larger gain; for instance, an algorithm could select an error-free part of the sifted string of length ñ by exchanging a message shorter than nh(e), as long as ñ < n. The overall secret gain is most probably not larger than G_c, but this statement has never been formally proved. Other variants might be explored, like reconciling Alice's key to the sifted key of Bob, instead of the opposite, or changing both to a third common string, or merging reconciliation and privacy amplification into a single step, or even replacing standard privacy amplification with some other procedure in order to get closer to the I(A : B) − I(A : E) bound. However, one should also remember that QKD proofs are not after finding the "optimal" protocol, but after proving that a given, probably sub-optimal but reasonably efficient protocol is secure under some conditions.

Changing the focus from one protocol to another is 
moreover often not a good idea because QKD proofs are 
a lengthy and expensive collective effort, which must be 
to some extent restarted when the protocol is changed. 
And all this, not to speak of the apparent impossibility to 
parametrise the space of "all possible QKD protocols". 
For QKD protocols, standardisation is more important 
than optimisation. 
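The balance of Eqs. (40)-(42) is easy to evaluate numerically. The Python below is an added example (not the paper's code): it takes τ_d from Eq. (34), τ_c from the bound of Eq. (46) (which section VI shows to be attained), h from the binary entropy defined above, tabulates G_d and G_c for a sifted key of n bits, checks Eq. (42) against the direct difference, and locates by bisection the largest QBER for which each gain stays positive. The bisection assumes that both gains decrease with e on [0, 1/3], which the printed table lets one confirm; the function names are mine.

```python
import math


def binary_entropy(e):
    """h(e) = -e log2 e - (1-e) log2(1-e): Shannon cost per sifted bit of locating or correcting the errors."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * math.log2(e) - (1 - e) * math.log2(1 - e)


def tau_discard(e):
    """Eq. (34): fraction discarded in privacy amplification after error discard (optimal FPEP attack, e <= 1/3)."""
    if e >= 1 / 3:
        return 1.0
    f = ((1 - 3 * e) / (1 - e)) ** 2
    return math.log2(2 - f)


def tau_correct(e):
    """Eq. (46): fraction discarded after encrypted error correction (the bound, tight by Eq. (51))."""
    return math.log2(1 + 4 * e - 4 * e * e)


def gain_discard(n, e):
    """Eq. (40): G_d = n(1-e)(1 - tau_d(e)) - n h(e)."""
    return n * (1 - e) * (1 - tau_discard(e)) - n * binary_entropy(e)


def gain_correct(n, e):
    """Eq. (41): G_c = n(1 - tau_c(e)) - n h(e)."""
    return n * (1 - tau_correct(e)) - n * binary_entropy(e)


def gain_difference_per_bit(e):
    """Eq. (42): (G_c - G_d)/n = (1-e)(tau_d - tau_c) + e(1 - tau_c), strictly positive."""
    td, tc = tau_discard(e), tau_correct(e)
    return (1 - e) * (td - tc) + e * (1 - tc)


def threshold_qber(gain, lo=0.0, hi=1 / 3, iterations=60):
    """Largest QBER at which `gain(1, e)` is still positive, found by bisection.
    Assumption (mine): the gain decreases monotonically with e on [lo, hi]; gain(1, lo) > 0 > gain(1, hi)."""
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if gain(1, mid) > 0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def compare(n, qbers):
    """Rows (e, G_d, G_c, G_c - G_d) for a sifted key of n bits."""
    return [(e, gain_discard(n, e), gain_correct(n, e),
             gain_correct(n, e) - gain_discard(n, e)) for e in qbers]


if __name__ == "__main__":
    for e, gd, gc, diff in compare(10_000, [0.01, 0.05, 0.08, 0.10, 0.12]):
        print(f"e={e:.2f}  G_d={gd:8.1f}  G_c={gc:8.1f}  G_c-G_d={diff:7.1f}  "
              f"Eq.(42)*n={10_000 * gain_difference_per_bit(e):7.1f}")
    print("max tolerable QBER, error discard   :", round(threshold_qber(gain_discard), 4))
    print("max tolerable QBER, error correction:", round(threshold_qber(gain_correct), 4))
```

Both thresholds are set by the point where the privacy-amplification loss plus the reconciliation cost nh(e) eats the whole key; with error discard that point comes earlier, because the (1 − e) factor in Eq. (40) and the larger τ_d act together.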

V. THE SLUTSKY-BRANDT ATTACK WITH
AN ERROR-CORRECTION PROCEDURE

The SB attack will now be analysed in the context of a BB84 protocol using encrypted error correction, in order to investigate its claimed optimality. Because of this choice for reconciliation, the amount of information leaked to Eve during the raw exchange, plus the knowledge of the encoding basis, is all that enters the calculation of the average collision probability. Since only individual attacks are allowed, one can consider Eve's activity as being performed on two separate strings of n(1 − e) correct bits and ne faulty bits respectively. The discarded fraction can thus be written as

\tau(e) = (1 - e)\,\tau_{=} + e\,\tau_{\neq}, \qquad (43)

where the first term is related to correct bits and the second one to faulty bits; this expression is equivalent to

\tau(e) = 1 + \log_2\!\left(\langle P_c^{=}\rangle^{1-e}\,\langle P_c^{\neq}\rangle^{e}\right), \qquad (44)

where ⟨P_c^=⟩ and ⟨P_c^≠⟩ are the individual average collision probabilities for error-free and faulty bits respectively. τ_= is obviously the same quantity determined in section III for the SB attack, see Eq. (34). To calculate the amount of information leaked to Eve from erroneous bits, note that when the bit measured by Bob is wrong, the state of the probe collapses to |T_e⟩, Eq. (38), independently of the bit sent by Alice and of the encoding basis. Therefore, Eve has no means to distinguish between Alice's two equiprobable bits, and consequently τ_≠ = 0. Using Eqs. (43) and (34) one finds

\tau(e) = (1 - e)\log_2\!\left(1 + 4e - 4e^3 + O(e^4)\right) = \log_2\!\left(1 + 4e - 4e^2 - 12e^3 + O(e^4)\right). \qquad (45)

This discarded fraction can now be compared to the general scenario of individual attacks considered by Lütkenhaus in the momentous paper [ref.], where the author concludes that τ(e) is bounded by

\tau(e) \le \log_2(1 + 4e - 4e^2). \qquad (46)

In figure 2 the discarded fraction necessary to counter a SB attack is compared with Lütkenhaus bound (which was not claimed to be tight). The latter is always higher, hence stronger, than the security curve derived from the SB attack, the two curves merging only at e = 0. For small error rates, most bits are exchanged correctly and, as the SB attack on correct bits is optimal, the curves converge. When more errors are introduced, Eve's lack of information on faulty bits weakens her attack.

This shows that in a QKD protocol with encrypted error correction, the SB attack does not fill the known upper bound, leaving potential room for stronger individual attacks. The SB curve is however a lower bound, since the eavesdropping strategy is given explicitly. In the next section, the question will be investigated whether a stronger FPEP attack can be found, by appropriately balancing the amount of information Eve can gain from error-free bits and from bits received incorrectly by Bob.

FIG. 2: The fraction of the sifted key that must be discarded during privacy amplification in order to counter a SB attack against a protocol with encrypted error correction, Eq. (45), versus the QBER e, compared with Lütkenhaus bound [ref.], Eq. (46). The first curve reaches its maximum at e ≃ 0.277, the bound at e = 0.5, where its value is 1. The curves are non-decreasing, see the discussion in section II D.

VI. AN OPTIMAL ATTACK AGAINST BB84
WITH ERROR CORRECTION

A. With leakage of error positions

This section revisits the FPEP class of attacks against a BB84 QKD protocol where errors of the sifted key are corrected; however, it is assumed that the positions of these errors become known to the eavesdropper. This latter apparently peculiar hypothesis is investigated also in [ref.], where the author shows that, due to spoiling information, this case can be used to draw an upper bound also for more secure protocols where Eve has no information about which bits were received incorrectly by Bob.

The approach to the security proof is very similar to that presented in section III, the difference being that here, for a given, known encoding basis, Eve must distinguish between two pure states for bits received correctly, and two different pure states for bits received incorrectly, since there are two possibilities for the "collapse" of Eq. (28). For instance, if the basis is {|u⟩, |ū⟩} and the bit was received incorrectly (which happened with probability e), Eve must distinguish between |ψ_ūu⟩ and |ψ_uū⟩; if the bit was instead received correctly, the two states are, as before, |ψ_uu⟩ and |ψ_ūū⟩. The results for the second encoding basis are identical, due to the intrinsic symmetry of the FPEP method. Eq. (31) is thus changed into

\langle P_c \rangle = \left(1 - \tfrac12 f_{[=]}\right)^{1-e} \left(1 - \tfrac12 f_{[\neq]}\right)^{e}, \qquad (47)

with f_[=] and f_[≠] defined by the following expressions [which are then simplified with Eqs. (22b), (22c), (22d), (22e)], where the imbalance δ is constrained by Eq. ( ):

\sqrt{f_{[=]}} = \frac{|\langle\psi_{uu}|\psi_{\bar u\bar u}\rangle|}{\|\psi_{uu}\|\cdot\|\psi_{\bar u\bar u}\|} = \frac{|\tfrac12 - e - \delta|}{1 - e}, \qquad (48a)

\sqrt{f_{[\neq]}} = \frac{|\langle\psi_{\bar u u}|\psi_{u\bar u}\rangle|}{\|\psi_{\bar u u}\|\cdot\|\psi_{u\bar u}\|} = \frac{|\tfrac12 - e + \delta|}{e}. \qquad (48b)



In order to find the optimal attack, it is now sufficient to maximise the collision probability in Eq. (47) over δ. It is easier to visualise the optimisation problem through the discarded fraction. In fact, note that (the inequality being Jensen's, by concavity of the logarithm)

\tau = (1 - e)\log_2\!\left(2 - f_{[=]}\right) + e\log_2\!\left(2 - f_{[\neq]}\right) \le \log_2\!\left[(1 - e)\left(2 - f_{[=]}\right) + e\left(2 - f_{[\neq]}\right)\right]. \qquad (49)

Finding the maximum 2δ = −(1 − 2e)² of the upper bound is trivial since the argument is a second-degree polynomial in δ. But, for this value of δ, the two fidelities are equal, and therefore inequality (49) is saturated, and the optimisation problem is solved. One obtains

f_{[=]} = f_{[\neq]} = f_{\min}(e) = (1 - 2e)^2, \quad\text{and} \qquad (50)

\tau(e) = \log_2\!\left[2 - f_{\min}(e)\right] = \log_2(1 + 4e - 4e^2), \qquad (51)

which is exactly Lütkenhaus bound of Eq. (46). Whereas previously this upper bound allowed some margin for lower security bounds to be found, the present optimisation proves it to be tight when error positions are leaked [46]. Note that, due to the symmetry e ↔ 1 − e, the discarded fraction cannot be a monotonous curve in this case. Above e = 50%, Eve's tactic for total knowledge cannot be modelled by the unitary matrix of the FPEP parametrisation; an additional dissipative evolution on Bob's bit is necessary.



B. Without leakage of error positions 

The previous section considered the implementation of a QKD protocol with error correction and leakage of the positions of the errors, because that assumption makes the mathematical derivation particularly simple. However, more secure error-correcting protocols can be devised, in which Eve has no access to this piece of information. This section investigates whether a different bound is proper to this instance.

With Eve's assumed lack of knowledge of the error positions, the final state of the probe after the entangling evolution and the "collapse" at Bob's site is the density matrix σ = Tr_Bob(χ), with χ being the joint state of the probe and the signal. The state σ will be a statistical mixture over Bob's possible outcomes; namely

\sigma_a = |\psi_{aa}\rangle\langle\psi_{aa}| + |\psi_{\bar a a}\rangle\langle\psi_{\bar a a}| \qquad (52)

when the input state |a⟩ is sent by Alice; note that |ψ_aa⟩ and |ψ_āa⟩ are not normalised; if the normalised vectors were used instead, the two addends would have a factor 1 − e and e respectively in front. Eve must distinguish between the two density matrices ensuing from the two equiprobable states |a⟩ of Alice, with a ∈ {u, ū}.

Suppose that Eve implements the following measurement strategy, on which there is, a priori, no claim of optimality. First, she performs a projective measurement to separate the {|ψ_uu⟩, |ψ_ūū⟩} subspace from the {|ψ_ūu⟩, |ψ_uū⟩} subspace (finding the first case with probability 1 − e, and the second one with probability e, but this is irrelevant); the separation is possible because the two subspaces are orthogonal, as shown in Sec. II C. Then, if the first outcome was found, she proceeds with the same measurement of Sec. VI A for this case, achieving the collision probability associated with f_[=]; similarly, for the second case, she achieves the one associated with f_[≠]. Given that, for these two measurements, both f_[=] and f_[≠] have the same value f_min(e) = (1 − 2e)², the average ⟨P_c⟩ turns out to be the same as for the case of error correction with leakage of error positions.

Therefore, there exists a measurement strategy which is ignorant of the positions of the errors and fills the bound of Eq. (51). It is however obvious that all attack strategies that can be implemented without this piece of knowledge can be implemented also if it is available: in other words, the set of allowed attacks without leakage is strictly included in the set with leakage, and therefore, the security bound for the current case cannot exceed the security bound of Sec. VI A. Thus, the explicit attack just shown implies that the two bounds are the same, and that the attack itself is optimal.

It is remarkable that, similarly to Eq. (31), also in this case the maximum collision probability is linked to the fidelity [33] of the conditional density matrices σ_u and σ_ū. The calculation is greatly simplified by the subspaces {|ψ_uu⟩, |ψ_ūū⟩} and {|ψ_ūu⟩, |ψ_uū⟩} being orthogonal; using Eqs. (48) one obtains

f(\sigma_u, \sigma_{\bar u}) = \Big[\mathrm{Tr}\sqrt{\sqrt{\sigma_u}\,\sigma_{\bar u}\sqrt{\sigma_u}}\Big]^2 = \Big[(1 - e)\sqrt{f_{[=]}} + e\sqrt{f_{[\neq]}}\Big]^2 = \Big(|\tfrac12 - e - \delta| + |\tfrac12 - e + \delta|\Big)^2 = (1 - 2e)^2, \qquad (53)

and therefore ⟨P_c⟩ = 1 − f/2. This identity may be true here only due to the large number of constraints dictated by the symmetries of the BB84 protocol. However, it would be interesting to know whether the result holds more generally. This problem is somewhat similar to that of minimum error probability or accessible information. Despite intuition, it is known [31, ref.] that these two are not equivalent for mixed states. It is likely that the maximisation of the collision probability is still a different problem. Formally, the problem would read like this: provided a flat bit S is transmitted through a quantum channel, encoded in non-orthogonal density matrices ρ_0 and ρ_1, what is the maximum collision probability of the distribution of S that can be reconstructed by the receiver by means of quantum measurements?
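To make the optimisation of section VI A concrete, and to check the no-leakage argument of section VI B with the same numbers, here is an added Python example (not the paper's code). It parametrises Eve's attack by the imbalance δ through Eqs. (48a)-(48b), evaluates ⟨P_c⟩ of Eq. (47) and τ of Eq. (44), recovers the SB curve of Eq. (45) at the endpoint δ = 2e − 1/2 and the bound of Eq. (51) at 2δ = −(1 − 2e)², cross-checks the closed-form optimum by a grid search and against the Jensen bound of Eq. (49), evaluates the mixed-state fidelity of Eq. (53), which stays at (1 − 2e)² across the interval, and locates the peak of the SB curve quoted in the caption of Fig. 2. The δ interval [e − 1/2, 2e − 1/2] over which it searches is my assumption (the paper's constraint equation is not reproduced in this excerpt): it is the interval on which both fidelities lie in [0, 1] and both absolute values in Eq. (53) have non-negative arguments. Function names are mine.

```python
import math


def sqrt_f_correct(e, delta):
    """Eq. (48a): sqrt of the fidelity between Eve's two probe states for bits Bob received correctly."""
    return abs(0.5 - e - delta) / (1 - e)


def sqrt_f_wrong(e, delta):
    """Eq. (48b): the same for bits Bob received incorrectly."""
    return abs(0.5 - e + delta) / e


def delta_interval(e):
    """Search interval for the imbalance delta (e < 1/3).
    Assumption (mine): [e - 1/2, 2e - 1/2], where both fidelities are within [0, 1] and the arguments of
    both absolute values in Eq. (53) are non-negative. The upper end delta = 2e - 1/2 is the SB attack."""
    return (e - 0.5, 2 * e - 0.5)


def collision_probability(e, delta):
    """Eq. (47): <P_c> with error correction, geometric mean over correct and faulty bits."""
    f_eq, f_ne = sqrt_f_correct(e, delta) ** 2, sqrt_f_wrong(e, delta) ** 2
    return (1 - 0.5 * f_eq) ** (1 - e) * (1 - 0.5 * f_ne) ** e


def tau(e, delta):
    """Eq. (44): discarded fraction tau = 1 + log2 <P_c>."""
    return 1 + math.log2(collision_probability(e, delta))


def tau_sb_error_correction(e):
    """Eq. (45): the SB attack (delta = 2e - 1/2, identical error states) against encrypted error correction."""
    return tau(e, 2 * e - 0.5)


def tau_optimal(e):
    """Eqs. (50)-(51): at 2 delta = -(1 - 2e)^2 the two fidelities coincide and tau reaches its maximum."""
    return tau(e, -(1 - 2 * e) ** 2 / 2)


def luetkenhaus_bound(e):
    """Eq. (46)."""
    return math.log2(1 + 4 * e - 4 * e * e)


def jensen_bound(e, delta):
    """Right-hand side of Eq. (49); tau(e, delta) never exceeds it, by concavity of log2."""
    f_eq, f_ne = sqrt_f_correct(e, delta) ** 2, sqrt_f_wrong(e, delta) ** 2
    return math.log2((1 - e) * (2 - f_eq) + e * (2 - f_ne))


def grid_search(e, steps=20000):
    """Brute-force maximisation of tau over delta; returns (delta, tau) to cross-check the closed form."""
    lo, hi = delta_interval(e)
    candidates = (lo + (hi - lo) * k / steps for k in range(steps + 1))
    best_tau, best_delta = max((tau(e, d), d) for d in candidates)
    return best_delta, best_tau


def mixed_state_fidelity(e, delta):
    """Eq. (53): fidelity of the conditional probe states sigma_u, sigma_ubar when error positions are not leaked."""
    return ((1 - e) * sqrt_f_correct(e, delta) + e * sqrt_f_wrong(e, delta)) ** 2


def sb_ec_peak(step=0.0005):
    """QBER at which the SB curve of Eq. (45) is highest; the caption of Fig. 2 quotes e ~ 0.277."""
    grid = [k * step for k in range(1, int(1 / (3 * step)))]
    return max(grid, key=tau_sb_error_correction)


if __name__ == "__main__":
    for e in (0.05, 0.10, 0.20):
        d, t = grid_search(e)
        print(f"e={e:.2f}  SB: tau={tau_sb_error_correction(e):.4f}  optimum: delta={d:+.4f} tau={t:.4f}  "
              f"bound={luetkenhaus_bound(e):.4f}  closed form={tau_optimal(e):.4f}  "
              f"f(sigma_u,sigma_ubar)={mixed_state_fidelity(e, d):.4f} vs (1-2e)^2={(1 - 2 * e) ** 2:.4f}")
    print("peak of the SB curve with error correction at e =", round(sb_ec_peak(), 3))
```

The table shows the two faces of the argument: for every e the SB value lies strictly below the bound, while the δ that balances the two fidelities lands on it exactly, and the mixed-state fidelity does not depend on δ at all inside the interval, which is why the measurement of section VI B, ignorant of error positions, loses nothing.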



VII. CONCLUSIONS 

It has been shown that no real "threat" to the security of BB84 QKD protocols stems from recent developments in implementing an entangling probe attack. Not only is this attack (claimed to be the "most powerful individual attack" [1, ref.]) not threatening the security bound derived previously by Lütkenhaus [ref.], but it is also shown to be sub-optimal in an efficient and complete QKD implementation. The SB attack is only an optimal attack for those specific types of QKD protocols in which the reconciliation procedure is to somehow discard all faulty bits, which is a less desirable scheme as it leads to a shorter final shared key.

It should also be pointed out that experiments cannot 
allow for the investigation of fundamental security lim- 
its, as "security" is not an observable; they can only shed 
light on the technological feasibility of specific eavesdrop- 
ping attacks. 

In view of the previous considerations, the recent headline in Nature purporting that "quantum cryptography is hacked" [1, ref.] as a result of the successful implementation of an SB attack is an unfortunate misunderstanding. In fact, the researchers whose work is highlighted in the news feature do not themselves make any such sensationalistic claim, even though they fail to mention existing security proofs and do not comment on the consequences their attack has on existing security bounds.

In this paper it has been shown that improved analysis of FPEP attacks leads to finding explicit optimal attacks for the case considered in [ref.], filling the bound introduced there, which therefore turns out to be sharp. This holds independently of whether error positions are leaked to Eve. The analysis gives a simple recipe for devising optimal individual attacks, the most powerful eavesdropping attacks that could be implemented with today's technology. The complete statement is the following. An ideal BB84 QKD exchange where the dimensionality of the signal space is not changed and the imperfection of the experimental apparatus consists at most in a noisy and lossy channel, and for which reconciliation through error correction is performed, followed by privacy amplification, is strongly secure on average against individual attacks if and only if the discarded fraction τ(e) satisfies

\tau(e) \ge \log_2(1 + 4e - 4e^2),

(where e is the QBER of the sifted key) both in the case that the positions of errors come to be known to the eavesdropper, and in the case that they do not. A byproduct of this analysis is the question whether the maximum collision probability in distinguishing two mixed density matrices is always one minus one half of the fidelity of the carrier states.